
rc.firewall

Hello everybody. I just finished this rc.firewall tonight and I thought I would ask those of you familiar with it what you think about it. Constructive criticism is welcome. It appears to work quite well: nmap, SATAN, SARA, Nessus all came up with nada, so it is doing its job as far as I can tell. My experience has been with ipfilter on Free/OpenBSD and this is my first serious crack at a comprehensive rc.firewall for iptables v1.2.2.

The system I am using here is Slackware Linux 8.0 running the 2.4.16 kernel with the grsecurity patch grsecurity-1.9.2-2.4.16 and all of the security goodness options turned on.

I consider this rc.firewall to be BETA and would appreciate feedback on any issues you come across.

//note: This rc.firewall is built for my system, I do not use modules as they *can* pose a security risk as they are capable of being trojaned. A section to enable modules is included but commented out. If you have iptables load as a module but not at boot time, you will need to uncomment that section for this to be effective.

##################### and away we go
#!/bin/bash
#
# rc.firewall iptable packet filtering script by UberC0der
#
# Place this in /etc and chmod 700 it then run /etc/rc.firewall
# This script should flush your existing rules, so be sure and know what
# they were before you use this script. My personal suggestion is to
# put them in a file named something like tables.rules under /etc.
# That way if you really *hate* this script you can always run
# `iptables --flush; iptables-restore /etc/tables.rules' and get your
# old rules back.
#
# My hope for this script is to be both a learning experience and
# perhaps, if all goes well, an outstanding rc.firewall. Enjoy, and
# remember, all comments, concerns, questions and suggestions are
# welcome.
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#set up the variables
EXT_IF=eth0
EXT_IP=xxx.xxx.xxx.xxx/32 # for obvious reasons I left out my IP
EXT_NET=xxx.xxx.xxx.xxx/24 # ditto
LOCAL_ADDRS="127.0.0.0/8 xxx.xxx.xxx.xxx/32" # ditto again (quoted: unquoted, bash would try to run the second address as a command)

########
# Disclaimer: the formatting in vi was more clean, once I pasted it in here
# it didn't look so nice.
########

Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
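An added skeleton, not the poster's script, showing how the variable block above can be carried into a minimal rule set: LOCAL_ADDRS quoted so the shell treats it as a list, the old rules saved before the flush the header warns about, default-DROP policies, and an anti-spoofing drop for each local address arriving on EXT_IF. Addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and DRY_RUN (an assumption of this example) echoes the commands so the script can be exercised without root.

```shell
#!/bin/bash
# Added skeleton (not the thread's rc.firewall). It shows: LOCAL_ADDRS as a
# properly quoted list, a backup of the live rules before the flush the
# header recommends, default-DROP policies, and one anti-spoofing rule per
# local address on the external interface. Addresses are constructed
# placeholders from the 192.0.2.0/24 documentation range.
set -eu

EXT_IF=eth0
LOCAL_ADDRS="127.0.0.0/8 192.0.2.10/32"   # quoted: unquoted, the shell would
                                           # try to run 192.0.2.10/32 as a command
BACKUP=${BACKUP:-/etc/tables.rules}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; run with DRY_RUN=0 as root to apply

# Wrapper so the whole script can be exercised without root or iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Save the current ruleset first, so `iptables --flush; iptables-restore
# $BACKUP` gets the old rules back if the new ones misbehave.
backup_rules() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables-save > $BACKUP"
    else iptables-save > "$BACKUP"; fi
}

# Flush, then deny by default and permit only loopback and replies.
base_policy() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Packets arriving on EXT_IF with a local source address are spoofed:
# drop one per entry of LOCAL_ADDRS (the for loop relies on word splitting).
antispoof_rules() {
    for addr in $LOCAL_ADDRS; do
        ipt -A INPUT -i "$EXT_IF" -s "$addr" -j DROP
    done
}

# Number of anti-spoof rules generated, for checking the list was parsed.
antispoof_count() { antispoof_rules | wc -l | tr -d ' '; }

main() { backup_rules; base_policy; antispoof_rules; }
main
```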

That's pretty good; the only thing I saw wrong was that your first variable for the ethernet card was declaring it as 'eht0' and not 'eth0' hehe... other than that, it seems you've done your homework and have read the other web pages on securing a firewall.

Good job!

We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

lol,
Right you are. I guess since I did not call the variable EXT_IF the script didn't choke.

Thanks, Vorlin.

BTW, I changed it to eth0 in case anyone does want to build functionality into the script and calls EXT_IF... especially if they didn't catch my mistake.
